#which was a big revelation overall to the world but its use here was injecting a collar/bracelets with electricity via runes. so that it
Tiebreaker - Mazirek, Kraul Death Priest vs Polukranos, Unchained
Hi folks! Yesterday, these two cards both got 177 votes in Batch 2.3, leading to a tie. I don’t vote in the polls so that I can be the tiebreaking vote when it’s needed. So here I am doing that.
I am going to be using the same format as I did for the ties in the original Magic Bracket - see this old post for an example. Essentially I will provide a written analysis on each card over five categories, and then finish with scores. If the scores also tie then my personal favourite gets the nod. The categories are:
- Quality of design, scored out of 10
- Power level, scored out of 5 (overpowered cards will score lower)
- Flavour, scored out of 5
- Art, scored out of 5 (combined across multiple arts if there are any)
- Place in Magic history, scored out of 5
Let’s get stuck in.
Mazirek, Kraul Death Priest
Design
Fittingly for a death priest, Mazirek cares about death - specifically, he’s one of the relatively few cards that care about sacrificing. While we’re more used to seeing this on black-red cards in recent years, Mazirek was printed in Commander 2015 and the sacrifice-matters element is perfectly at home in black. While it doesn’t feel green, the reward you get - +1/+1 counters on all your creatures - certainly does, and Mazirek has a solidly black-green feel as a result. And by both caring about death and growth/life, he also feels specifically Golgari - which matters as the Kraul are a Golgari insect group. Sacrifice-matters probably does play better in black-red (where red’s ability to sacrifice its own stuff lines up nicely), but it’s not massively out of place here.
Having flying (which makes sense for an Insect) but a measly 2/2 body for 5 also guides the player to imagining growing him into a massive threat through adding lots of sacrifice effects. The design is also kept light by not having Mazirek provide any inherent way of sacrificing things or making sacrifices happen - the player has to provide their own. This is pretty common for these kinds of designs, but is good because it means the rewards can be a bit juicier, as the player has to provide a sacrifice payoff, an enabler, and likely some fodder - although making your opponent sacrifice things also works!
One ding against the sacrifice trigger is that it does require players to handle a small bit of rules knowledge - specifically, identifying the “sacrifice” keyword action and understanding which things are and aren’t sacrifices. And effects that make temporary tokens are annoyingly inconsistent about whether the tokens are exiled or sacrificed, which sets up a bit of a reading debt.
Power level
Fittingly for a card from a Commander precon, Mazirek is pretty potent. He can grow your team quite substantially with a few triggers, even if he doesn’t provide you an in-built way of getting them, and promises unbounded payoff. Combining him with a sacrifice outlet and something with Persist can even make infinite combos, which is pretty compelling as a power option. Mazirek is technically legal in Eternal formats, but isn’t up to grade there - but that’s not a mark down on him as few cards are.
Mazirek ranks #278 on EDHREC, as the Commander of 424 decks, and as a card appears in 4% of decks on the platform. This indicates a potent and popular Commander card.
Flavour
Mazirek, as mentioned above, is the leader of the Kraul, the Golgari insect race. His card name certainly conjures up a lot of what’s going on with him - “Death Priest” is quite a title, and gets across both the death-focused aspect of the Golgari as well as the Kraul’s society - Mazirek was the leader of the Kraul race until his death in the War of the Spark storyline. His name is also fun to say - and feels quite insectile. It’s a shame that the “priest” title, which feels more like a Cleric, is not matched with his typeline, where he is a Shaman. There are plenty of green and even black-green Clerics, so this does feel like a minor ding.
Mazirek’s flavour text reinforces the “insect” thing nicely, with talks of clicks and buzz, and the very Metal “incarnation of decay”. Overall the picture of a rotten, death-feeding entity is well sold. Being empowered by death is a flavourful concept, but “sacrificing” specifically is hard to convey as a flavourful concept - it’s a bit too mechanical.
Art
Mathias Kollros’s piece revels in the black-green colour palette we’d expect from a Golgari legend, and shows the central figure suggestively in dark greens and yellow highlights, but with the details hidden by strong green-white backlighting. The posing emphasises the many additional limbs that Mazirek has over a humanoid figure, with his wings and extra legs, as well as his elevated position. Some drippy, slimy looking moss decorates his podium and the darker edges of the piece give us the sense that we’re in the Kraul’s tunnels. After adjusting to the main image we also see the eggs at the edges of the image, adding to the insect / creepy vibe for an overall very effective piece.
Note that the colour palette appears to have been significantly darkened from the original printing for the later Double Masters version for no clear reason. I think the original printing is the superior.
Place in Magic history
Other than a supporting role in the Ravnica / War of the Spark storyline, Mazirek doesn’t have much to write home about here - no particularly unique or interesting things about him.
Polukranos, Unchained
Design
From this year’s Theros: Beyond Death, we have the zombified version of Polukranos. Originally gaining infamy as Polukranos, World Eater, this hydra is now presented in a black-tinged version - our second black-green card. He starts out with square stats as a very undercosted-seeming 4-mana 6/6, before later promising to escape as a 6-mana 12/12. The “permanent damage” drawback here is something originally seen on Judgment’s Phantom creatures, which only ever lost one counter per instance of damage; the counters-per-damage version was premiered on M11’s Protean Hydra as a “heads” metaphor, and was also seen on Ugin’s Conjurant. Conjurant and Polukranos share an important improvement - they only apply the replacement effect while they actually have a +1/+1 counter, which stops them becoming invincible if you raise their toughness some other way.
As well as being a big reservoir of power and toughness, this newer version of Polukranos connects mechanically to the original by including a fight ability - and a very rare repeatable one at that. This opens up some interesting options whereby if Polukranos has shrunk too much, you can fight him off in order to have him die and then be able to escape and reset him with his final Escape ability. Polukranos has the highest card-cost for any Escape card, needing six other cards to come back - justified by his massive size upgrade when you do so.
The design overall hits some of the right notes for the established Polukranos power set - beefy and activated-ability-fighting - while adding some interesting play patterns with the Escape mechanic. It doesn’t do a great job of feeling green-black to me instead of just green however - monogreen has Escape cards and that’s all that black is really bringing to this package other than a generic multicolour power injection and the Zombie creature type. And the design is very busy, with a lot of text and moving parts that are a bit confusing to play.
Power level
While being a Limited powerhouse, Polukranos hasn’t managed to get anywhere in general constructed thanks to competing for resources with the far superior Uro, Titan of Nature’s Wrath, which is commonly played with black.
In Commander, EDHREC shows Polukranos, Unchained at rank #494 as a Commander of 170 decks, and appearing in 3% of decks. The combo with Vigor is particularly nice - you can choose to apply Vigor’s replacement effect instead of Polukranos’s own one and have him grow every time he fights instead of shrinking!
Flavour
The name is straightforward enough - and connects with the art - but not inspired. The lengthy rules text doesn’t even leave room for Escape reminder text, let alone flavour text. The character of Polukranos is of a dangerous monster that Elspeth had to defeat in the original Theros storyline as the champion of Heliod, but the new version is just “that same guy from before, only he escaped from the Underworld”.
Art
Chris Rahn is one of Magic’s most notable current artists, with a great ability to render detailed fantasy images with beautiful details. The purple-and-grayish hues of the underworld are used here to show the location, and nicely we see the upper purple head of Polukranos blending with the beautiful night sky.
And those purple heads are shown coming from the same root - I believe they are actually regrowing at the time of the art! There are a lot of nice visual indicators of this - a pinkish glow showing where the stump was, the purplish colour of the two new heads, and the fact that those are a little smaller than the other four. The new heads both have collars on so I imagine these are magical collars designed for a hydra - but the art also shows that the chains weren’t strong enough, as the name tells us. A close look shows a loose chain breaking a statue in the foreground - and the other foreground figures help sell the size of the monstrous creature in front of us. The overall mood is “Oh s***, the monster has got loose!”.
Place in Magic history
We have a minor storyline character here and the card has no particular resonance or important part to play, so not looking at a whole lot here.
Final verdict
Mazirek, Kraul Death Priest
Design - 7/10
Power level - 4/5
Flavour - 3/5
Art - 5/5
Place in Magic history - 2/5
TOTAL - 21/30
Polukranos, Unchained
Design - 6/10
Power level - 3/5
Flavour - 2/5
Art - 4/5
Place in Magic history - 2/5
TOTAL - 17/30
Good luck to Mazirek, Kraul Death Priest in Round 3!
Andre Drummond’s hot start only raises more questions
Andre Drummond is having a career year for the Pistons.
The Pistons’ big man is having a career year. Can we trust it?
The NBA is littered with players who stifle their own talent. Plenty good enough to dominate their role, they misunderstand/outright reject who they are, and how they can best impact winning. Andre Drummond has been on this list for most of his career, but right now it’s worth wondering if he’s nearing off it.
Nine games into his eighth season, Drummond is averaging 22 points — a personal best by a significant margin — and has never been more efficient. He leads the league in minutes, and only Giannis Antetokounmpo has made more baskets. Drummond’s rebounding has always been comically dominant, but right now the gap between him and everybody else is over 50 boards. At 26 years old, he’s already the best rebounder of his generation, and it’s not particularly close.
All these stats are amazing, but it’s too early to call them a revelation, or use them to erase the myriad questions that still contaminate Drummond’s overall effect. Even if they sustain, there’s a harmful insecurity in Drummond’s game that has increasingly led him outside the lane any competitive team would prefer he stay in. The putbacks, one-dribble drop steps, and picks that peel defenders off teammates are all helpful.
But for every sign of progress — he’s shooting a career-best 67.3 percent from the free-throw line and the percentage of his possessions that end as a roll man are currently double what they’ve been over the past few years! — there lies a hideous push shot, unnecessary foul, or forced foray into a reminder that every player has their limit. Right now Drummond averages more seconds and dribbles per touch than every other center except Julius Randle — aka more than Joel Embiid, Nikola Jokic, Karl-Anthony Towns, and Anthony Davis. This should not be.
“Every year, [Drummond] is going to bring something new to the table,” Pistons head coach Dwane Casey recently told reporters. On its face that’s not a bad thing. But just because he wants to moonlight as a point guard and shoot threes doesn’t mean he should. Take whatever it is Drummond tried to do here — which was followed by a booming and hilarious HELL NO from the Wizards bench — as an example. Sequences like this have not been rare this season:
Not all of this is his fault. Drummond is compelled by a roster that’s been ravaged by injuries to several important pieces, including Blake Griffin, Derrick Rose, and Reggie Jackson. Last year, the Pistons fell apart on offense when Griffin played without Drummond; lineups featuring both were as efficient as the Milwaukee Bucks. Now, surrounded by Markieff Morris, Bruce Brown, and Tony Snell, opportune moments are unavoidable. It’s hard to get mad when he rumbles coast-to-coast for an and-one or pings a perfect bounce pass from the elbow. And there’s value in Drummond reminding defenses they aren’t facing Rudy Gobert:
Parsing productive growth from self-serving desire isn’t easy, though, especially in an NBA that’s trending towards generalists and away from niche skill-sets. Common sense would tell you that it’s beneficial to have Drummond explore different ways he can impact a game. But too much of what he does has the feel of a high-school student skipping their actual homework assignment to do extra credit.
When he sticks to what he’s great at, you can’t help but wonder how he’d do surrounded by players who fill in the areas he wants to occupy. Picture Drummond injected into a reality-check ecosystem that doesn’t let him test drive skills that belong in a garage. If he can ever self-simplify his responsibilities, opt to maximize what he already does well, and, you know, try harder, that’s a wrecking ball.
That expectation is a leap of faith against over 17,000 minutes of evidence; Drummond is -374 for his career. Context regardless, it’s OK to think he’ll never reach whatever ceiling many believed he had after his first couple seasons. At the same time, it’s also OK to believe the trajectory of his career will eventually tick up once he accepts who he is. That type of power is undeniably important.
Drummond sprints the floor when there’s a carrot at the end of a stick. He’ll outrun his man, seek contact for the seal, make himself a target, then finish strong at the rim. Hurray. Unfortunately, every compliment is accompanied by a catch. Beyond his impaired technical prowess, Drummond’s energy level fluctuates with infuriating regularity: It’s hard to embrace a defensive identity when your starting center refuses to sprint back in transition.
Drummond compounds the issue by spending a good chunk of his minutes in foul trouble, a habit that tamps down those fiery moments that are hard to forget. When active and committed, he’s a nightmare in the paint.
It’s all very tantalizing, and not seeing him play that way from possession to possession, let alone quarter to quarter or game to game is what makes Drummond such an exasperating figure. It also makes you wonder what he could do as the third wheel on a different team, one able to harness all his strengths the right way.
A trade feels highly unlikely anytime soon. Detroit’s owner, Tom Gores, loves Drummond. But when asked about the organization’s path one month ago, Gores also said “I think right now we feel really good about where we’re at. Obviously, we have to succeed and win, and judge by if we’re not winning. But right now we feel really good about it.”
The Pistons have tread water without Griffin, and if barely making/missing the playoffs is how they want their foreseeable future to go, they’ll sit tight with them both. But logic suggests a shakeup at some point. And if Drummond continues to produce at a rate unseen since Neil Armstrong walked on the moon, will Gores sell high?
Chances are it won’t matter. Drummond can exercise a $28.5 million player option and become a free agent this summer. It’s hard to imagine any playoff team 1) believing he can push them over the top, while 2) sacrificing enough assets to make a trade worth Detroit’s while.
For fun, though, there are a few teams that should poke around, pending their own need to shake things up/prepare for a lengthy playoff run. Drummond makes conceivable sense on every team in Texas. It’s way too early for any one of them to bend over backwards in a negotiation, but perhaps Detroit will listen if the Houston Rockets ever feel desperate enough to offer Clint Capela. The Pistons do it to receive a cheaper big under team control through 2023 who has extensive playoff experience and can either be flipped down the line or seen as part of their inevitable rebuild. Future picks, of which Houston barely has, would need to be involved, but Drummond is a much better player; if the Rockets want to go all-in (again), this sort of talent upgrade makes sense.
What if the San Antonio Spurs push Patty Mills, Rudy Gay, Lonnie Walker IV, and their 2020 first towards the middle of the table? Their spacing would be even more cramped but assuming Gregg Popovich can turn Drummond into the consistent center his talent suggests he can still be, that’s an intimidating frontline. If the Spurs like what they see and can keep Drummond motivated, they can phase into their next era with him and Dejounte Murray leading the way.
It’s hard to see the Dallas Mavericks interrupt their momentum for someone who probably wouldn’t close games, but just picture Luka Doncic running a stagger pick-and-roll with Drummond and Kristaps Porzingis. One pops and the other rolls. How do you guard that? (Sadly, the Mavs also don’t have much to offer beyond Dwight Powell, an expiring contract, and Jalen Brunson.)
There are other teams that would have theoretical interest — like the Los Angeles Clippers and Boston Celtics — but none are realistic enough to write about. If Drummond chooses to test the market this summer, would the Atlanta Hawks, Charlotte Hornets, or Cleveland Cavaliers bite?
What it all comes down to is situation, fit, and how dominant Drummond can still be if he’s willing to embrace a specific role. Despite his jaw-dropping numbers right now, it’s impossible to say he’s part of any short or long-term solution where he is. Including this year, Detroit’s defense is annually not good when he plays, and in eight seasons he’s only appeared in eight playoff games.
Something has to eventually break. Until it does, the Pistons will take the good with the bad, even though change feels like it’d do both sides a world of good.
With the third season of Rick and Morty on the horizon, and since I don’t think anyone’s done this before, I decided to give my ranking of all the Rick and Morty episodes (from the first two seasons).
My metrics for judgement are as follows: I’m attempting to judge the show purely on its own merits, with each episode being held to the question “is this the show at its best?”, which to my mind is a character-driven high concept sci-fi show that actively critiques but never outright condemns the humanist philosophies behind its chosen genre.
I’ve tried to avoid using other shows as a comparison unless it’s to illustrate a point, but in some cases it’s pretty unavoidable when this show unapologetically rips off its plots from movies wholesale. Episodes get more points for good story structure that adds to a good moral, strong critique or parody of an established science fiction trope that is otherwise well explored and strong character development that builds across episodes and firmly establishes a continuity. And when in doubt, it mostly comes down to “which would I rather rewatch if I only had those two competing episodes to choose from?”.
All clear? Alright, without further ado…
The Definitive Objective Extra-Schwifty Ranking of every Rick and Morty Episode
1. Rixty Minutes (S1E8)
Well, what else was it going to be?
What begins as an epilogue to Rick Potion #9 ends up becoming the central thesis for the entire show up to that point, that while the characters’ existence isn’t significant on the cosmic scale and Summer’s birth basically creating the entire family was an accident of fate, sometimes seeing things from that perspective makes you realise how miraculous it is that you are here now, and instead of wrestling with your own insignificance and the possibility of “what could have been”, you accept and embrace the life that you have now, for all its faults. That those revelations are paired with the interdimensional TV both builds the tension for how the conflict happening outside of it is progressing and relieves it by providing a reprieve from the revelations that happen from it. This episode is the show at its best, and probably one of the best episodes of television period.
2. Meeseeks and Destroy (S1E5)
One of the smartest writing decisions in the show is that it doesn’t do the old domestic magic/sci-fi show trope of having the main character’s adventures kept a secret from the rest of the family or having a convenient reset button at the end of each episode. Instead, it aims to explore the emotional consequences of interacting with Rick’s world, and Meeseeks and Destroy marks a turning point in the show where all of these adventures start to actually matter to the show’s continuity and to the characters’ growth. This is actually my personal favourite episode, but I think it’s just shy of being the best for two reasons: the A-plot relies on a reversal of the normal story structure, with Morty leading the adventure instead of Rick so it’s not the most “typical” of the show overall, and the two plots don’t come together as fluidly as they do in Rixty. Still, it’s a very close call.
3. Auto-Erotic Assimilation (S2E3)
Beyond a few references to Beth’s mother and a few (potentially false) memories, we never really get to see how Rick operates in a romantic relationship. So it’s interesting to see Rick at his most vulnerable and with someone he actually has some love for in Unity, the one-who-is-a-million that got away. An emotionally raw story about two people who are good together but aren’t good for each other, paralleled with a B-plot of Summer and Morty learning that given total freedom, humans (well, blue alien people) will undoubtedly give in to their worst impulses. Also, man, that ending is one of the most gut-wrenchingly depressing endings to a show I’ve ever seen, and it lands perfectly. Maybe a little too perfectly.
4. Morty-Night Run (S2E2)
Probably the show’s best straight-forward adventure episode, which helps set up the Galactic Federation conflict that will eventually pay off at the end of Season 2 and is probably the best demonstration of Morty attempting to apply idealistic Earth morality to a more morally complicated universe to which Rick is perfectly adapted. A plethora of memorable characters like Krombopulous Michael and Jemaine Clement’s crooning sentient gas cloud, some excellent psychedelic animation and art direction, and a consistently funny B-plot of Jerry’s time in a daycare full of alternate versions of himself and confronting just how pathetic he is make this episode a real winner.
5. The Ricks Must Be Crazy (S2E6)
This is the best of what I like to call the “nesting doll” episodes of the show, where the adventure is a continuous descent or ascent through several layers of the sci-fi trope of the week. The first two thirds of the episode are a great slow boil before the “oh, shit” moment of the Mini-Verse scientist killing himself, and the final race out of the teeny/mini/microverses, intercut with Summer in Rick’s car is one of the most expertly paced sequences in the entire show. It’s also the only episode that gives Rick a compelling nemesis in the form of Zeep Zanthorp - a being he unintentionally created who is smart enough to challenge him, which annoys Rick to no end. I really hope they bring him back, since Rick is pretty short on compelling enemies (besides the Council of Ricks). Fingers crossed for some car trouble in Season 3.
6. Close Encounters of the Rick Kind (S1E10)
The idea of Rick being the only person(s) able to challenge him could have served to make Rick a little too smug and perfect for his own good, but the Council of Ricks serve as the perfect synthesis and literalisation of Rick’s self-loathing and his detest for sprawling authoritarian institutional bodies. Every alternate timeline/universe/dimension (do they ever settle on one definition? They’re all used fairly interchangeably) strikes a perfect balance between absurdist weirdness and incredible internal consistency, and every rewatch makes you pick up on new details you didn’t notice before. And look, I’m not made of stone, Jerry and Doofus Rick’s friendship is actually quite sweet, and I hope they get reunited someday.
7. Look Who’s Purging Now (S2E9)
The main character throughline of Season 2 is seeing how Rick and Morty start to rub off on each other over the course of their adventures. This comes to a head in this episode as we see how willing Morty is to emulate Rick in his amorality when he goes “full Purge” and how Rick is taken aback by what his grandson could become following in his footsteps while also confronting the limits of his joy/apathy of the bloodshed that ensues from his adventures. It also has the sharpest piece of social satire the show has ever done, where the newly freed aliens, trying to rebuild society after the overthrow of their aristocratic overlords, devolve into arguing over the division of labour and wind up reinstating the Purge again anyway from the frustration of having to create a functioning society again. Defeatist? Maybe. Hilarious? Absolutely.
8. Rick Potion #9 (S1E6)
Probably the episode that’s most important to the overall canon of the show. It sets the tone for the adventures to follow, gives a true point of no return for the show as a whole, as well as a great deconstruction of status-quo beholden storytelling and the creepy ethics of love potion plots. Had this just been a ranking of season one episodes, it would probably rank higher, but as you can probably tell by this list, the show has definitely topped this one since. I also want to point out just how incredible the show’s art direction and character creation is when it comes to all the varying designs of the Cronenbergs. I really hope the animators got a raise after this episode.
9. Total Rickall (S2E4)
The Thing through the lens of a Community clip show turns into a paranoid existential thriller that escalates perfectly, has an excellent twist that probably ended up ruining a load of friendships in real life and revealed a ton about how the Smith family operates and sees each other. It does test the limit for how many wacky characters you’re willing to put up with, and it can’t really escape the insular insubstantial feeling of bottle episodes as a whole, especially if you buy into the theory that this episode and Morty-Night Run take place in another universe and so it doesn’t really matter to the show’s continuity as a whole. But it gives us Mr. Poopy Butthole, so I’m willing to forgive it.
10. Big Trouble in Little Sanchez (S2E7)
This is a tough one to rank, because it has the greatest disparity of quality between the A plot and B plot. Beth and Jerry’s “mythologue” oriented marriage counselling is such a perfect science-fiction idea of making a metaphorical conflict real that it probably had enough to be the plot of the whole episode. Unfortunately, it’s paired with a B plot that tries to do the same thing with Tiny Rick. He’s funny as a visual, but the episode has to go to some lengths to inject tension into the proceedings. Why can’t Rick just stay in his young body forever other than some convoluted explanation about how teenagers push all their bad feelings into the back of their minds and therefore Old Rick will be erased (I think?). I felt it could have used an additional conflict where Rick loses some of his scientific brilliance because of his young brain overwriting his old one, or maybe a better acknowledgement that Summer was the one that pushed Rick into a self-described hackneyed high school plot that even he found too simple a pitch. Still, it cracks the top ten on the strength of the Beth and Jerry plot alone, which I plan to go into more depth about later, so stay tuned.
11. Anatomy Park (S1E3)
There are three inevitabilities in this world: death, taxes and sci-fi shows doing a Fantastic Voyage plot. Rick and Morty’s take is to fuse it with Jurassic Park and also have it be the show’s Christmas episode, which gives us a story which is never dull and has a lot of great jokes (“Oh, never mind, I was thinking of the T. rex”) but doesn’t come together in any interesting way other than the blood raining at the end, which also raises the question of whether the show was planning at this point to keep Rick and Morty’s adventures a secret from the rest of the Smiths. Also, I’m of the mind that Christmas episodes tend to work better when they’re placed later in the show’s run, as all the familial conflicts can play out better when you’ve had more time to get to know the characters and how they became the way they are. It’s good, maybe could have been better had it aired later in the show’s run and the writers had a better idea of what the show’s status quo was.
12. Raising Gazorpazorp (S1E7)
Having an adolescent raise a baby warmonger alien is some great application of science fiction to the mundane, and Morty’s relationship to Morty Jr. yields some touching moments. The gender politics of planet Gazorpazorp feel a bit rote and stereotypical and an excuse to make a lot of obvious “battle of the sexes” jokes, and raises a lot of gripes I have regarding how mainstream science fiction comedy approaches and incorporates women and the feminine into its worlds, even if it does a little bit of softball criticism by drawing attention to Rick’s casual misogyny. Good, but could have been better.
13. The Wedding Squanchers (S2E10)
A great finale that pays off the long-brewing confrontation between Rick and the Galactic Federation, and sets up a lot of interesting developments for Season 3. But as a result of that, it kind of feels a little incomplete in a way that the first season finale didn’t because they knew they were getting renewed.
14. A Rickle In Time (S2E1)
I loved the multiple timeline split-screen bits and Rick explaining at length about how he doesn’t care about Morty and Summer, which sets up what I believe to be Rick’s arc through Season 2 revealing his softer side. But the Beth and Jerry B-plot is basically just trying to give them something to do, doesn’t really contribute any tension to the situation back home and doesn’t tell us anything new about their relationship.
15. Pilot (S1E1)
As pilots go, Rick and Morty’s one is pretty good. It tells you everything you need to know about the scope of the show, its characters and the type of humour you can expect from it. The “Rick and Morty hundred years!” rant is one of the show’s best moments. But it was clearly still finding its voice, and there’s a bit of weirdness in that you think the show is going to pivot the way having the rest of the Smith family not know about Rick and Morty’s adventures, which they thankfully did away with.
16. Ricksy Business (S1E11)
Despite introducing us to Birdperson and Abradolph Lincler, this episode feels kind of unremarkable in retrospect, and ultimately just feels like they threw in all of the ideas they couldn’t fit into the earlier episodes into this one in case they didn’t get renewed.
17. M. Night Shaym-aliens (S1E4)
The second best of the “nesting doll” episodes. The simulations inside simulations are a great Inception riff, even better than their actual Inception parody (more on that in a second). We really get a good look at Jerry’s insecurity and what drives him as a character, and the first real demonstration of Rick’s cunning and preparedness that also helps lay out the cosmic scope of his reputation. However, I don’t find the Zigerian scammers that funny, despite David Cross’ best efforts as the voice of their leader, and they’re a little too similar to the nudist scammer aliens from the first Futurama movie for my liking - the fact that they’re squeamish about nudity had to be a dig at that, surely? But the overall set-up is solid and seeing Jerry casually strut through a low-res simulation of his life is pretty hysterical.
18. Lawnmower Dog (S1E2)
The worst (or really, the least good) of the “nesting doll” episodes. The direction the Scary Terry plot goes in is unexpected, clever and genuinely touching, but I don’t find the “dogs take over the world” plot that remarkable in any way, especially in comparison to the rest of the show.
19. Get Schwifty (S2E5)
This episode got a lot of shit when it aired, and it’s easy to see why, seeing that it had to follow a hat-trick of three great episodes. It’s a fairly solid Independence Day/Day The Earth Stood Still parody, but it’s definitely the show’s most lazily conceived plot, not to mention that I’m fairly sure that entire sections of the script appear in the previous episodes. That said, the giant space heads are a great visual (and gave us some great meme fodder), and it sets up the endgame of The Wedding Squanchers by reintroducing us to Birdperson and Tammy, if very inelegantly.
20. Interdimensional Cable II: Tempting Fate (S2E8)
On my first watch of this, I didn’t find this episode that funny, and the only TV bit that really made me laugh out loud was “Man vs Car”. The context for the Interdimensional Cable here, instead of being a distraction from the potential collapse of Beth and Jerry’s marriage, is them waiting in a hospital for Jerry to recover from a fatal alien illness, which could be a potentially interesting idea if he hadn’t been immediately cured at the episode’s beginning, which immediately sucks all the tension out of the episode. Where the tension in Rixty Minutes (the episode this is self-plagiarising) lies in whether the Smith family will ultimately be broken up for good, this one ends up hinging on...the fate of Jerry’s penis. It keeps trying to wring some tension out of Jerry wanting to feel significant for having saved the galaxy’s answer to the Dalai Lama, and while I like the ultimate lesson that you can’t make people love you, the journey to get there doesn’t really work as well as it could have. They even make a meta-dig at themselves that they can’t improve on perfection, and at that point you kind of give this episode the ranking it deserves.
21. Something Ricked This Way Comes (S1E9)
At its best, Rick and Morty subverts and deconstructs well-worn science fiction tropes and the plots and lessons that tend to play out when played straight, and works best when it incorporates those proceedings with examinations of the American family dynamic and how we fight the daily battle of finding some kind of humanist purpose and meaning in our lives in a universe for which that pursuit is bound to end in failure. While this episode has the best Summer plot and arguably the show’s best joke in the form of the Butter Passing Robot, Ricked is probably the most lazily conceived version of itself possible, picks a lot of very easy targets and ends up feeling very bored with itself as a result. While it aims to be an examination of how science fiction stories have replaced or perhaps better refined the old superstitions and morality lessons that horror stories play off, while actively critiquing how similar the two genres are in execution, the actual plot is basically Rick becoming a mouthpiece for how much the writers hate superstitious thinking and going “haha you brought Stephen King to a Kurt Vonnegut/Stanislaw Lem fight, get riggedy-riggedy-rekt son”. The B-plot of Jerry insisting that Pluto is a planet pokes fun at climate change denialism, and while a great demonstration of how facts and evidence have become summarily rejected in political discourse in favour of dogma and superstition, it doesn’t escalate into anything bigger like the best episodes of the show do. Hell, they can’t even agree on what the moral is at the end, and instead just resolve to literally beat up some political strawmen in lieu of actually finding a cohesive message. While that might be cathartic to some, for a show that isn’t content to give its audience easy answers, it’s punching well below its weight.
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Update, July 24: Google has released Chrome 68, adding the HTTP “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert that somebody is trying to do something nefarious with your personal information.
[Image: Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon. Credit: Stephen Shankland/CNET]
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
- Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
- Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
- Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the GitHub programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
[Image: After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time. Credit: Let’s Encrypt]
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put it off any longer.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
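The three behaviours described under “Who doesn’t use HTTP?” (sites that upgrade http:// requests, sites that serve HTTPS only when asked for it, and sites that fall back to HTTP even when HTTPS is requested) can be told apart from recorded redirect responses. The following is an added example, not part of the CNET article; the host names and responses are constructed, and the function and verdict names are assumptions made for illustration.

```python
"""Classify how a site treats http:// and https:// entry points.

Works on recorded responses (constructed sample data below), so it runs
offline. All names here are illustrative, not from the article.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def follow(start_url, responses):
    """Follow redirects through `responses`.

    Returns (final_url, chain). final_url is None when the chain loops,
    exceeds MAX_HOPS, hits an error status, or reaches a URL with no
    recorded response (treated as a failed connection).
    """
    url, chain, seen = start_url, [start_url], {start_url}
    for _ in range(MAX_HOPS):
        record = responses.get(url)
        if record is None:
            return None, chain
        status, headers = record
        if status >= 400:
            return None, chain
        # Header names are case-insensitive.
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # resolves relative Location values
            chain.append(url)
            if url in seen:
                return None, chain  # redirect loop
            seen.add(url)
            continue
        return url, chain
    return None, chain


def _scheme(url):
    return urlsplit(url).scheme if url else None


def classify(host, responses):
    """Return a verdict string for one host."""
    via_http, _ = follow(f"http://{host}/", responses)
    via_https, _ = follow(f"https://{host}/", responses)
    s_http, s_https = _scheme(via_http), _scheme(via_https)
    if s_https == "http":
        return "downgrades-https"   # HTTPS request ends on a plaintext page
    if s_http == "https" and s_https == "https":
        return "upgrades-http"      # plaintext request is redirected to HTTPS
    if s_http == "http" and s_https == "https":
        return "https-on-request"   # encrypted only if the user asks for it
    if s_http == "http" and s_https is None:
        return "http-only"
    return "inconclusive"


def plaintext_hops(host, responses):
    """Count requests sent unencrypted when the user starts at http://."""
    _, chain = follow(f"http://{host}/", responses)
    return sum(1 for u in chain if _scheme(u) == "http")


# Constructed sample: URL -> (status, headers). Not real measurements.
RECORDED = {
    "http://upgrade.example/": (301, {"Location": "https://upgrade.example/"}),
    "https://upgrade.example/": (200, {}),
    "http://optin.example/": (200, {}),
    "https://optin.example/": (302, {"location": "/home"}),
    "https://optin.example/home": (200, {}),
    "http://downgrade.example/": (200, {}),
    "https://downgrade.example/": (302, {"Location": "http://downgrade.example/"}),
    "http://legacy.example/": (200, {}),  # no HTTPS listener recorded
    "http://loop.example/": (301, {"Location": "https://loop.example/"}),
    "https://loop.example/": (301, {"Location": "http://loop.example/"}),
}

if __name__ == "__main__":
    for name in ("upgrade", "optin", "downgrade", "legacy", "loop"):
        host = f"{name}.example"
        print(host, classify(host, RECORDED), plaintext_hops(host, RECORDED))
```

Even for a site that upgrades, the count of plaintext hops is at least one: the initial http:// request and its redirect response still cross the network unencrypted.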
0 notes
Text
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Chrome's HTTP warning seeks to cut web surveillance, tampering
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon.
Stephen Shankland/CNET
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the Github programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time.
Let’s Encrypt
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put it off anymore.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
CNET Daily News
Get today’s top news and reviews collected for you.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with for it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?'”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin — and soon, too, a myriad of services that will change your life.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
0 notes
Text
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Chrome's HTTP warning seeks to cut web surveillance, tampering
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon.
Stephen Shankland/CNET
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
- Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
- Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
- Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the GitHub programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time.
Let’s Encrypt
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, gives website operators a strong new disincentive to keep putting it off.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
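The three behaviours described above (sites that upgrade an http:// request, sites that encrypt only when asked, and sites that hand back the unencrypted page even when https:// is requested) can be told apart from response status lines and Location headers alone. The Python sketch below is an added example, not part of the CNET article; the .example hostnames, the captured response heads and the category labels are constructed for illustration.

```python
"""Classify a site's HTTP/HTTPS behaviour from captured response heads.

All hostnames and responses below are constructed samples, so this runs offline.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head(raw):
    """Parse a raw HTTP response head into (status, headers with lowercase names)."""
    lines = raw.strip().splitlines()
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def follow(start_url, captures, max_hops=5):
    """Walk a redirect chain through the captured heads.

    Returns the URL that finally serves content (2xx), or None if the chain
    ends in an error, leaves the captured set, or loops past max_hops.
    """
    url = start_url
    for _ in range(max_hops + 1):
        raw = captures.get(url)
        if raw is None:
            return None
        status, headers = parse_head(raw)
        if status in REDIRECT_CODES and "location" in headers:
            # Location may be relative, so resolve it against the current URL.
            url = urljoin(url, headers["location"])
            continue
        return url if 200 <= status < 300 else None
    return None


def classify(host, captures):
    """Label a host by where http:// and https:// requests end up."""
    via_http = follow("http://%s/" % host, captures)
    via_https = follow("https://%s/" % host, captures)
    http_end = urlsplit(via_http).scheme if via_http else None
    https_end = urlsplit(via_https).scheme if via_https else None
    if https_end == "http":
        return "downgrades-https"        # unencrypted even when HTTPS is requested
    if https_end is None:
        return "http-only" if http_end == "http" else "unreachable"
    if http_end == "https":
        return "upgrades-http"           # plain request is redirected to HTTPS
    if http_end == "http":
        return "https-only-on-request"   # encrypted only if the user asks for it
    return "https-only"


# Constructed captures: URL -> raw response head.
SAMPLES = {
    "upgrade.example": {
        "http://upgrade.example/": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://upgrade.example/\r\n\r\n",
        "https://upgrade.example/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    },
    "optional.example": {
        "http://optional.example/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
        "https://optional.example/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    },
    "downgrade.example": {
        "https://downgrade.example/": "HTTP/1.1 302 Found\r\nLocation: http://downgrade.example/\r\n\r\n",
        "http://downgrade.example/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    },
    "legacy.example": {
        "http://legacy.example/": "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n",
        "http://legacy.example/home": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    },
    "loop.example": {
        "http://loop.example/": "HTTP/1.1 302 Found\r\nLocation: http://loop.example/\r\n\r\n",
    },
}


def audit(samples):
    """Return {host: label} for every captured host."""
    return {host: classify(host, caps) for host, caps in samples.items()}


if __name__ == "__main__":
    for host, label in sorted(audit(SAMPLES).items()):
        print("%-20s %s" % (host, label))
```

Even for a host labelled upgrades-http, the first request still travels unencrypted, so that initial hop remains exposed to the tampering the article describes.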
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
0 notes
Text
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Chrome's HTTP warning seeks to cut web surveillance, tampering
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon.
Stephen Shankland/CNET
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the Github programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time.
Let’s Encrypt
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put it off anymore.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
CNET Daily News
Get today’s top news and reviews collected for you.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Update, July 24: Google has released Chrome 68, adding the HTTP “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
[Image: Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon. Credit: Stephen Shankland/CNET]
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
- Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
- Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
- Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the GitHub programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
[Chart: After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time. Credit: Let’s Encrypt]
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put the move off any longer.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
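The three behaviours described above (sites that upgrade an “http://” request, sites that serve HTTPS only when asked for it, and sites that hand back the unencrypted page even for an “https://” request) can be told apart from recorded redirect responses. The following is an added example, not part of the original article; the host names and recorded responses are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# Constructed sample data: URL -> (status code, Location header or None).
RECORDED = {
    # Upgrades to HTTPS, but only after two cleartext requests.
    "http://upgrade.example/": (301, "http://www.upgrade.example/"),
    "http://www.upgrade.example/": (301, "https://www.upgrade.example/"),
    "https://upgrade.example/": (301, "https://www.upgrade.example/"),
    "https://www.upgrade.example/": (200, None),
    # Serves HTTP by default, HTTPS only when explicitly requested.
    "http://optional.example/": (200, None),
    "https://optional.example/": (302, "/home"),  # relative Location
    "https://optional.example/home": (200, None),
    # Sends even an explicit HTTPS request back to HTTP.
    "http://downgrade.example/": (200, None),
    "https://downgrade.example/": (302, "http://downgrade.example/"),
}


def redirect_chain(start_url, recorded):
    """Return every URL requested, in order, until a non-redirect response."""
    chain = []
    url = start_url
    while len(chain) < MAX_HOPS:
        if url in chain:
            raise ValueError(f"redirect loop at {url}")
        chain.append(url)
        status, location = recorded[url]
        if status not in REDIRECT_CODES or not location:
            return chain
        # Location may be relative; resolve it against the current URL.
        url = urljoin(url, location)
    raise ValueError("too many redirects")


def classify(host, recorded):
    """Classify a host by where http:// and https:// requests end up."""
    http_end = urlsplit(redirect_chain(f"http://{host}/", recorded)[-1]).scheme
    https_end = urlsplit(redirect_chain(f"https://{host}/", recorded)[-1]).scheme
    if https_end == "http":
        return "downgrades"       # encrypted request still ends unencrypted
    if http_end == "https":
        return "upgrades"         # plain request is moved to HTTPS
    return "https-optional"       # HTTPS exists but is not the default


def cleartext_requests(host, recorded):
    """Count requests sent unencrypted when the user types http://host/."""
    chain = redirect_chain(f"http://{host}/", recorded)
    return sum(1 for url in chain if urlsplit(url).scheme == "http")


if __name__ == "__main__":
    for name in ("upgrade.example", "optional.example", "downgrade.example"):
        print(name, classify(name, RECORDED), cleartext_requests(name, RECORDED))
```

Even for the site that upgrades, the count of cleartext requests is not zero: the first requests travel unencrypted before the redirect to HTTPS arrives.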
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
Text
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Chrome's HTTP warning seeks to cut web surveillance, tampering
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon.
Stephen Shankland/CNET
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the Github programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
Image caption: After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time. (Credit: Let’s Encrypt)
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, gives website operators a strong new disincentive to keep putting it off.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
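The three behaviours described above (upgrading to HTTPS, serving HTTPS only when asked, and falling back to HTTP even when HTTPS is requested) can be told apart from a site's redirect chain alone. The following is an added example, not code from the article; the host names, the `Response` record, the recorded responses and the category labels are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Response:
    """One recorded HTTP response: status code and Location header, if any."""
    status: int
    location: Optional[str] = None


def final_scheme(start_url: str, recorded: Dict[str, Response],
                 max_hops: int = 10) -> Optional[str]:
    """Follow Location headers through the recorded responses.

    Returns the scheme ("http" or "https") of the URL that finally answers
    with a 2xx status, or None for loops, missing data or error statuses.
    """
    url = start_url
    seen = set()
    for _ in range(max_hops):
        if url in seen:            # redirect loop
            return None
        seen.add(url)
        resp = recorded.get(url)
        if resp is None:           # nothing recorded for this hop
            return None
        if resp.status in REDIRECT_CODES and resp.location:
            # Location may be relative ("/home"), so resolve it against the current URL.
            url = urljoin(url, resp.location)
            continue
        return urlsplit(url).scheme if 200 <= resp.status < 300 else None
    return None


def classify(host: str, recorded: Dict[str, Response]) -> str:
    """Classify a host by where http:// and https:// requests end up."""
    via_http = final_scheme(f"http://{host}/", recorded)
    via_https = final_scheme(f"https://{host}/", recorded)
    if via_http == "https" and via_https == "https":
        return "upgrades-to-https"      # http:// is redirected to the secure site
    if via_http == "http" and via_https == "https":
        return "https-optional"         # secure only if the visitor asks for it
    if via_https == "http":
        return "downgrades-to-http"     # even an https:// request lands on HTTP
    if via_http == "http" and via_https is None:
        return "http-only"
    return "inconclusive"


# Constructed sample data: responses as they might be recorded for four hosts.
SAMPLE = {
    "http://upgrade.example/": Response(301, "https://upgrade.example/"),
    "https://upgrade.example/": Response(302, "/home"),
    "https://upgrade.example/home": Response(200),
    "http://optional.example/": Response(200),
    "https://optional.example/": Response(200),
    "http://downgrade.example/": Response(200),
    "https://downgrade.example/": Response(301, "http://downgrade.example/"),
    "http://loop.example/": Response(302, "https://loop.example/"),
    "https://loop.example/": Response(302, "http://loop.example/"),
}

if __name__ == "__main__":
    for name in ("upgrade.example", "optional.example",
                 "downgrade.example", "loop.example"):
        print(f"{name}: {classify(name, SAMPLE)}")
```

Even for a host in the first category, the very first `http://` request and its redirect response travel unencrypted, so the upgrade only protects what follows it.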
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Update, July 24: Google has released Chrome 68, adding the HTTP “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Image caption: Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon. (Credit: Stephen Shankland/CNET)
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone who controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
- Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
- Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
- Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the GitHub programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
Image caption: After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time. (Credit: Let’s Encrypt)
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, gives website operators a strong new disincentive to keep putting it off.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
[Image caption: Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon. Credit: Stephen Shankland/CNET]
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
- Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
- Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
- Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the GitHub programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
[Image caption: After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time. Credit: Let’s Encrypt]
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new incentive for website operators not to put it off any longer.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTPS?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
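The three behaviours described above (upgrading HTTP requests, offering HTTPS only when asked, and sending HTTPS requests back to HTTP) can be told apart from the redirect chain each entry point produces. The following is an added example, not code from the article: it classifies a host from recorded responses, and the hostnames, the `RECORDED` table and the category names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

# Constructed sample data standing in for real HTTP responses so the example
# runs offline: URL -> (status code, Location header or None).
RECORDED = {
    # Upgrades plain HTTP, then issues a relative redirect over HTTPS.
    "http://upgrade.example/": (301, "https://upgrade.example/"),
    "https://upgrade.example/": (302, "/home"),
    "https://upgrade.example/home": (200, None),
    # Serves whichever scheme was requested.
    "http://optin.example/": (200, None),
    "https://optin.example/": (200, None),
    # Sends HTTPS visitors back to an unencrypted page.
    "http://downgrade.example/": (200, None),
    "https://downgrade.example/": (301, "http://www.downgrade.example/"),
    "http://www.downgrade.example/": (200, None),
    # Misconfigured: the HTTP entry point redirects in a circle.
    "http://loop.example/": (302, "http://loop.example/a"),
    "http://loop.example/a": (302, "http://loop.example/"),
    "https://loop.example/": (200, None),
}


def follow(start_url, responses):
    """Walk a recorded redirect chain and return the URL that finally answers."""
    url, seen = start_url, set()
    while len(seen) < MAX_HOPS:
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        if url not in responses:
            raise LookupError(f"no recorded response for {url}")
        seen.add(url)
        status, location = responses[url]
        if status not in REDIRECT_CODES or not location:
            return url
        # Location may be relative, so resolve it against the current URL.
        url = urljoin(url, location)
    raise ValueError(f"more than {MAX_HOPS} redirects from {start_url}")


def classify(host, responses):
    """Classify a host by where its http:// and https:// entry points end up."""
    try:
        http_final = follow(f"http://{host}/", responses)
        https_final = follow(f"https://{host}/", responses)
    except LookupError:
        return "no-response"
    except ValueError:
        return "broken-redirects"
    # Check the downgrade first: it affects visitors who asked for HTTPS.
    if urlsplit(https_final).scheme == "http":
        return "downgrades-https"
    # An upgrade still begins with one unencrypted request before the redirect.
    if urlsplit(http_final).scheme == "https":
        return "upgrades-http"
    return "https-opt-in"


if __name__ == "__main__":
    for host in ("upgrade.example", "optin.example",
                 "downgrade.example", "loop.example", "missing.example"):
        print(f"{host:20} {classify(host, RECORDED)}")
```
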
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?’”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
0 notes
Text
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Chrome's HTTP warning seeks to cut web surveillance, tampering
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon.
Stephen Shankland/CNET
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the Github programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time.
Let’s Encrypt
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put it off anymore.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
CNET Daily News
Get today’s top news and reviews collected for you.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with for it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?'”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin — and soon, too, a myriad of services that will change your life.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/
0 notes
Text
Chrome's HTTP warning seeks to cut web surveillance, tampering
New Post has been published on https://britishdigitalmarketingnews.com/chromes-http-warning-seeks-to-cut-web-surveillance-tampering/
Chrome's HTTP warning seeks to cut web surveillance, tampering
Update, July 24: Google has released Chrome 68, adding the HTTPS “not secure” warning.
HTTP, one of the technologies that’s made the World Wide Web work since Tim Berners-Lee invented the web more than 25 years ago, just got a big black mark by its name, thanks to Google’s Chrome web browser.
The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering.
That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.
“This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets,” said Emily Schechter, Chrome security product manager, in a blog post Tuesday.
Chrome will show the words “not secure” next to the website in the address bar if it’s not encrypted. It’s a pretty open-ended warning, but you probably don’t need to panic if you see it. It’s far more likely to mean that it’s time for website operators to update their sites than it is an alert somebody is trying to do something nefarious with your personal information.
Chrome is changing how it handles websites loaded with HTTP, which doesn’t encrypt data. The old way shown at top is being replaced with a “not secure” warning shown in the center example. At bottom is the warning Chrome shows if you click on the information icon.
Stephen Shankland/CNET
But that doesn’t mean you should be complacent. Online privacy is in short supply, as revelations from former NSA contractor Edward Snowden and scandals like Cambridge Analytica show. Even passive monitoring of unencrypted web traffic, while less severe than attacks that can steal your password, can reveal a lot about you.
Chrome has a lot of leverage over the web. It accounts for 59 percent of web traffic, according to web analytics firm Statcounter, and Chrome surpassed a billion users in 2015.
Here’s a look at what’s changing and why.
What’s so bad about HTTP?
HTTP has served the web well, but it’s vulnerable to all manner of problems from anyone that controls the network you’re using. That includes in-flight Wi-Fi, coffee shops, hotels and, of course, your internet service provider.
“Using HTTP for a website instead of HTTPS has always been problematic,” said Nick Sullivan, head of cryptography at Cloudflare, a company that helps websites keep up with traffic demands. “Every interaction you have with a website that is unencrypted is broadcasted to an unknown set of companies in arbitrary locations across the globe. This is a massive privacy problem. It’s also a security problem because the website content can be modified along the way without the user knowing. This invites intermediaries to insert ads, trackers or malicious software to websites.”
Troy Hunt, an independent security researcher, made a video that catalogs abuses that are possible with HTTP websites. Malicious actors can:
Insert ads or other content that aren’t in the original website, something Comcast has done with copyright warnings and modem update pop-ups.
Inject invisible software that mines cryptocurrency for somebody else’s financial benefit, something an Argentinian Starbucks store did in 2017.
Redirect people to fake websites with a technique called DNS hijacking so their usernames and passwords can be intercepted.
Governments with control over their nation’s internet infrastructure get extra abilities, too. China’s “Great Cannon” used unencrypted HTTP connections to turn visitors to Baidu’s website into unwitting attackers of the Github programming website. And Egypt has injected ads and run cryptocurrency mining software on people’s computers, according to the Tor Project for advancing private web use and the Association for Freedom of Thought and Expression, a nonprofit that monitors Egyptian network censorship.
China and Egypt may seem distant to some, but US law enforcement authorities don’t like encryption, either. FBI Director Christopher Wray earlier in July warned that tech companies that don’t comply with its push to weaken encryption could face legislation requiring them to do so.
What’ll I see in Chrome with an HTTP website?
Chrome’s changes have been gradual, starting with the Chrome warning plan way back in 2016 and continuing with a warning in February that the HTTP “not secure” alert would arrive in July. Here are the steps in the transition.
Right now if you visit an HTTP website, Chrome shows a circled “i” icon to the left of the address denoting an opportunity for more information. If you click it, Chrome says, “Your connection to this site is not secure.” That’s not particularly alarming, though it isn’t as comforting as the green padlock and word “secure” shown there for an HTTPS-protected connection.
Starting Tuesday with Chrome 68, an HTTP connection instead will show the words “not secure” alongside the information icon.
Then Chrome 69, due in September, will emphasize that secure HTTPS connections are ordinary, not something surprising, by dropping the green color for the padlock icon and “secure” word it shows now. Instead you’ll see a less noticeable black lock, Google said in a May blog post. At some point later, that lock will disappear as Google tries to convince us that HTTPS should simply be what we expect.
Last, in October, Chrome 70 will take a more aggressive stance against unencrypted HTTP sites by changing the black “not secure” warning to a more alarming red color.
Mozilla said it’s focusing on other privacy efforts in Firefox for now. “When we have a specific timeline to share for marking all HTTP connections as insecure we will announce it.”
Apple’s Safari today doesn’t show any particular alert. Microsoft’s Edge shows an information icon for HTTP connections that, when clicked, offers a warning: “Be careful here. Your connection to this website isn’t encrypted. This makes it easier for someone to steal sensitive information like passwords.”
Why haven’t we been using HTTPS all along?
HTTPS is decades old, but in the early days of the web, it was only used to protect us when typing obviously sensitive data like passwords and credit card numbers into websites.
Why was it unusual? Years ago, HTTPS taxed server processors and network speeds, and website operators had to pay for certificates that enabled the feature. The performance problems have long been solved, though, and an effort called Let’s Encrypt — sponsored by Google, Facebook, Mozilla, Akamai, Cisco Systems, Brave and the Electronic Frontier Foundation, among others — means certificates are now free.
After years of effort by tech companies, protecting websites with encrypted HTTPS connections is becoming ordinary. These usage statistics show that the overall population of Firefox users now get secure website connections 73 percent of the time.
That doesn’t mean moving to HTTPS is necessarily easy, though. It took NASA months to update its 3,000 websites to 95 percent HTTPS.
And the web is big. Really big. The internet has 1,663,673,364 websites, according to the latest tally by web monitoring firm Netcraft.
Google’s choice to call out HTTP sites as insecure, though, means there’s a strong new disincentive for website operators to put it off any longer.
Some would like to see browsers make us jump through even more hoops to load HTTP websites. “Users should have to opt-in to putting themselves at risk,” said Josh Aas, executive director of Let’s Encrypt. “Nobody is saying the old unmaintained websites have to be taken down. It’s absolutely not worth putting everyone at risk by default just to enable viewing historic or unmaintained websites.”
Who doesn’t use HTTP?
Most of the big sites you’re likely to use protect your connection with HTTPS — Google, Facebook, Yahoo, eBay, Microsoft, Amazon, Twitter, Instagram. Even if you explicitly request their nonsecured pages by typing an address beginning “http://” they’ll upgrade you to a secure link anyway.
But there are others that aren’t there yet. Some, like Chinese search company Baidu and e-commerce company Alibaba, will give you an HTTP page if you just type their URLs into the address bar, but will give you an encrypted page if you type “https://” before the addresses.
Others, like ESPN.com and BBC.com, give you the unencrypted website even if you specifically request the encrypted one.
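The three behaviors described above can be told apart from the redirect chain a site returns for an http:// request and for an https:// request. The following is an added example, not part of the original article; the hosts, the sample chains and the label names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed redirect chains (first URL requested, last URL served).
# Hosts are placeholders under .example, not measurements of real sites.
OBSERVED = {
    "upgrade.example": {
        "http":  ["http://upgrade.example/", "https://upgrade.example/"],
        "https": ["https://upgrade.example/"],
    },
    "optional.example": {
        "http":  ["http://optional.example/"],
        "https": ["https://optional.example/"],
    },
    "downgrade.example": {
        "http":  ["http://downgrade.example/"],
        "https": ["https://downgrade.example/", "http://downgrade.example/"],
    },
    # Ends on HTTPS, but one hop in the middle travels in cleartext.
    "bounce.example": {
        "http":  ["http://bounce.example/", "https://bounce.example/"],
        "https": ["https://bounce.example/", "http://www.bounce.example/",
                  "https://www.bounce.example/"],
    },
}

def schemes(chain):
    """Return the URL scheme of every hop in a redirect chain."""
    return [urlsplit(url).scheme.lower() for url in chain]

def classify(obs):
    """Label a site's HTTPS posture from its two redirect chains."""
    http_chain, https_chain = schemes(obs["http"]), schemes(obs["https"])
    if not http_chain or not https_chain:
        return "unreachable"
    # Any cleartext hop after an explicit https:// request is a downgrade,
    # even if the chain later returns to HTTPS.
    if "http" in https_chain:
        return "downgrades"
    if http_chain[-1] == "https":
        return "upgrades"
    return "https-optional"

def audit(observed=OBSERVED):
    """Map each host to its posture label."""
    return {host: classify(obs) for host, obs in observed.items()}

if __name__ == "__main__":
    for host, label in audit().items():
        print(f"{host:20} {label}")
```

A site operator would fill the chains from their own crawl or from `curl -sIL` output; only the "upgrades" label means a visitor who types a bare address ends up on an encrypted connection.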
HTTPS is steadily spreading, though. The Let’s Encrypt effort issues more than 600,000 HTTPS certificates per day, and more than 73 percent of website connections made with Firefox are secure today.
And in the most recent of his twice-yearly assessments, security researcher Scott Helme said the number of encrypted websites among the Alexa list of the top million grew 32 percent from the previous study.
What problems will ‘not secure’ HTTP cause?
Even though upgrading to HTTPS is easier now, change is always difficult. It can mean extra work for administrators and others. The Chrome team’s choice about what’s best for the web can irritate people.
“Some people just don’t want to do the work to secure their site, and at the same time they don’t want the fact that it’s not secure to be communicated to their visitors,” Aas said.
Dave Winer, notable on the internet for having invented blogs and the RSS technology used to inform subscribers of updates to them, is a prominent critic of Google’s “not secure” warning for HTTP websites. He likens the move to “a massive book burning” because of the effect he fears it will have on older websites.
The HTTPS fans disagree.
“This is not like book burning. It’s more like requiring restaurants to publicly display their health rating score,” said Cloudflare’s Sullivan. “Informing the public about a problem with a service is a great way to encourage the service’s owner to fix it.”
Another wrinkle: With HTTPS certificates so easy to obtain these days, it’s less of an assurance that a site is legitimate. “Encrypting web sessions does not guarantee that the site itself is safe,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance initiative. “Bad actors can provide HTTPS too.”
Will that slow down the move to HTTPS?
Nope.
With years of pushing, the obstacles to HTTPS adoption are lower and the incentives to use it are higher. In addition to Chrome’s warning and Let’s Encrypt free certificates, there are now lots of online resources from Google, Hunt and others. And newer browser features often require HTTPS. It’s pretty clear where the future is headed.
“The Internet Society believes that encryption should be the norm for Internet traffic and that this is an important additional step in ongoing efforts by the technical community to address the issue of pervasive monitoring,” Wilbur said.
Ultimately, HTTPS becoming ordinary means a harder time for attackers, snoopers and data thieves.
“When we stood up the World Wide Web, we gave nobody any assurances who they’re talking to. We got away with it for 25 years,” Hunt said. But now we’re moving toward a future where the “not secure” HTTP warning will become a rarity. “We’ll look back at this time in five years or so and say, ‘Wasn’t that crazy?'”
First published July 23, 5 a.m. PT. Update, 12:05 p.m.: Adds details about how other browsers handle HTTP connections. Update, July 24, 10:52 a.m.: Notes that Google has begun releasing Chrome 68 with the HTTP warning and adds a comment from Google.
Source: https://www.cnet.com/news/chrome-warns-of-not-secure-sites-to-cut-web-surveillance-tampering-faq/